Security analysts from Check Point have released a report detailing the discovery of a long-running cyber espionage campaign targeting defense contractors, telcos and educational institutions. Researchers at the firm's malware and vulnerability research group uncovered the attack campaign named Volatile Cedar.
The campaign uses a custom-built trojan implant codenamed Explosive.
According to Check Point, this campaign has successfully penetrated a large number of targets across the globe since early 2012. During this period it allowed attackers to monitor victims' actions and steal data.
The security firm said it can confirm attacked entities to date include defense contractors, telecommunications and media companies, as well as educational institutions.
The first evidence of any Explosive version was detected in November 2012. Several versions have been detected since.
It said the nature of the attacks and associated repercussions suggest that the attacker's motives are not financial but aim to extract sensitive information from targets.
Volatile Cedar is a highly targeted and well-managed campaign. Its targets are carefully chosen, confining the infection spread to the bare minimum required to achieve the attacker's goal while minimising the risk of exposure.
Check Point head of incident response and threat intelligence, Dan Wiley, described the series of attacks as very interesting.
"The campaign has been continually and successfully operational through this entire timeline, evading detection through a well-planned and carefully managed operation that constantly monitors its victims' actions and rapidly responds to detection incidents."
"This is one face of the future of targeted attacks: malware that quietly watches a network, stealing data, and can quickly change if detected by antivirus systems. It's time for organisations to be more proactive about securing their networks."
The attacker group initially targets public-facing web servers running Windows, using both automated and manual vulnerability discovery.
Once the attackers gain control of a server, they use it as a pivot point to explore, identify and attack additional targets located deeper inside the internal network. Check Point said it has seen evidence of live manual hacking as well as an automated USB infection mechanism.